eHarmony Hacked – Kind Of

Has dating site eHarmony been hacked? Well, it depends on which eHarmony you mean, apparently. Rumors of a security breach at the site first surfaced yesterday, but eHarmony was quick to reassure its members that it was not the actual eHarmony dating site that had been attacked, but instead an ancillary site called eHarmony Advice. The hacker did gain access to user names, email addresses and passwords for those using eHarmony Advice message boards, according to an official statement from the site, which added:

“Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information. We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches. As a result, at no point during this attack did the hacker successfully get inside our eHarmony network.

“In addition, please note that there was very little overlap between the eHarmony Advice data obtained and the data that resides within other properties. We have taken appropriate steps to remedy the situation and have notified any potentially affected customers, who comprise an extremely small fraction of our total eHarmony.com user base (less than 0.05 percent).”

Joseph Essas, CTO of eHarmony, says that the hacker – Chris Russo, according to Brian Krebs, who broke the story yesterday – exploited a security vulnerability in a third-party library eHarmony was using for content management:

“Once we learned the nature of the exploit, we obviously closed it on the network layer and offered the third-party vendor help with patching the software, as we do not have access to their source code… Despite his reports to you, we have found no evidence to suggest that Russo has successfully compromised at the network level our corporate email and eHarmony site environments.”

Essas also said that the company was looking into legal options regarding Russo’s hack.